About

Each month a panel of security experts will assign points to bug submissions, and award cash prizes accordingly. Payouts are handled at the discretion of the judges. All bug judges are volunteers. For the foreseeable future, all money coming from subscription fees goes straight to the researchers who submit bugs.

Problem?
Contact @cheapbugs on Twitter.

Application Security

Appsec submissions must receive a CVE to qualify for points. If the submission receives a CVE, you will get paid.

Bonus points:
  • Make a blog post about it.
  • Attach a PoC demonstrating the bug.
  • Attach a reliable exploit.
Disqualifiers:
  • The entry will be disqualified if details of the bug have already been posted widely.
  • The entry will be disqualified if the bug is plagiarized.
Send the advisory writeup to bugfeed@cheapbugs.net. The subject line should contain the name of the software and the bug class.
Membership is currently not required to submit bugs. People with quality submissions will get free access for life.

Writeup should include:
  • Summary of the software
  • Instructions for reproducing the issue
  • Security impact of the issue
  • Issue timeline (discovery, disclosure, response, etc.)
  • Preferred payment method (Bitcoin, PayPal, privately negotiated)

BugFeed Service

Got a bug in some low end software? No security contact? No bug bounty? No problem!
Drop your shitty bugs on the cheapbugs bugfeed mailing list and get paid!

Looking for an exploit feed with Netflix prices?
$10 per month for unlimited access to the bugfeed and archives.


Web Security

To qualify, the bug must have some security impact on a site ranked in the Alexa top one million.

The bug must also be one of the following:
  • SQL injection
  • Command injection
  • File disclosure
  • Exposed sensitive files
  • Simple/default admin password
  • XSS that can be used to hijack sessions
Send the advisory writeup to bugfeed@cheapbugs.net. The subject line should contain the domain and the bug class.
Membership is currently not required to submit bugs. People with quality submissions will get free access for life.

Writeup should include:
  • Summary of the service, including Alexa rating
  • Instructions for reproducing the issue
  • Security impact of the issue
  • Issue timeline (discovery, disclosure, response, etc.)
  • Preferred payment method (Bitcoin, PayPal, privately negotiated)